PAN-SA-2023-0002 Informational Bulletin: Impact of Rorschach Ransomware
Informational
Description
The Palo Alto Networks Product Security Assurance team is aware of an article that details a strain of ransomware dubbed “Rorschach.”
When removed from its installation directory, the Cortex XDR Dump Service Tool (cydump.exe), which is included with the Cortex XDR agent on Windows, can be used to load untrusted dynamic link libraries (DLLs) with a technique known as DLL side-loading. Rorschach ransomware uses a copy of this tool and this technique to evade detection on systems that do not have sufficient endpoint protection.
When the Cortex XDR agent is installed on Windows and the Cortex XDR Dump Service Tool process is running from the installation path, it is not possible to side-load DLLs with this technique. The security permissions and protections of the installed Cortex XDR agent prevent it.
The ransomware is detected and blocked by Cortex XDR agent 7.7 and later versions with CU-240 (released November 2021) and later content updates. This issue does not represent a product vulnerability risk to customers using Cortex XDR agent. This issue is not applicable to Mac OS and Linux platforms.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cortex XDR Agent 5.0 | All agents on Windows | None |
Cortex XDR Agent 7.5 CE | All agents on Windows | None |
Cortex XDR Agent 7.8 | Agents with content update earlier than CU-240 on Windows | Agents with CU-240 or a later content update on Windows |
Cortex XDR Agent 7.9 CE | Agents with content update earlier than CU-240 on Windows | Agents with CU-240 or a later content update on Windows |
Cortex XDR Agent 8.0 | Agents with content update earlier than CU-240 on Windows | Agents with CU-240 or a later content update on Windows |
Exploitation Status
Palo Alto Networks is aware of the Rorschach ransomware that is using this DLL side-loading technique.
Solution
New versions of Cortex XDR agent will be released to prevent this misuse of our software.
Cortex XDR agent content update CU-910 further detects and prevents this DLL side-loading technique.
This informational bulletin will be updated once ETAs and these software updates are available.
No updates are planned for Cortex XDR agent 5.0 as it does not have the relevant Behavioral Threat Protection module required to detect this technique.
Frequently Asked Questions
Q. Are Cortex XDR customers at risk for this ransomware?
Palo Alto Networks has verified that Cortex XDR agent 7.7 and newer versions with content update CU-240 (released November 2021) and later content updates detect and block the ransomware. A new content update will be released next week to detect and prevent the usage of this DLL side-loading technique. These protections do not apply to unsupported Cortex XDR agent versions not listed in this advisory.
Q. Is this a product vulnerability? Can this be exploited to run malware on endpoints with XDR?
No. When the Cortex XDR agent is installed on Windows and the Cortex XDR Dump Service Tool process is running from the installation path, it is not possible to side-load DLLs with this technique. The security permissions and protections on the installed agent prevent this technique.
Q. Is WildFire detecting this ransomware?
Yes. WildFire combines multiple techniques - including machine learning, static analysis, and dynamic analysis - to detect and provide protection against threats like Rorschach ransomware.
Q. I am a PANW customer, but don’t use Cortex XDR. Am I at risk?
Rorschach ransomware uses a copy of Cortex XDR Dump Service Tool and this DLL side-loading technique to evade detection on systems that do not have sufficient endpoint protection. This poses the same risk as other malware utilizing DLL side-loading techniques.
Q. A security scanner is flagging cydump.exe as malware. How do I determine it is harmless?
Ensure that the Cortex XDR Dump Service Tool (cydump.exe) is present in the appropriate directory where the Cortex XDR agent is installed.
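As an added example (not Palo Alto Networks' code or tooling), the following Python check applies the answer above to a constructed list of process-creation events: every cydump.exe that did not start from the agent's installation directory is flagged for review. The install directory value, the ProcessEvent fields and the sample events are assumptions constructed for this example; replace the directory with the one the agent is actually installed in.

```python
import ntpath
from dataclasses import dataclass

# Placeholder (assumption): set to the directory that holds the installed agent's cydump.exe.
ASSUMED_INSTALL_DIR = r"C:\Program Files\ExampleVendor\CortexXDR"
TOOL_NAME = "cydump.exe"


@dataclass
class ProcessEvent:
    """Minimal process-creation record, constructed for this example."""
    pid: int
    image: str          # full path of the started executable
    parent_image: str   # full path of the parent process


def _norm(path: str) -> str:
    # Collapse '..' segments and fold case so that odd spellings of the same
    # location compare equal; ntpath handles Windows paths on any host OS.
    return ntpath.normcase(ntpath.normpath(path))


def is_expected_location(image: str, install_dir: str = ASSUMED_INSTALL_DIR) -> bool:
    """True only if the executable sits directly inside the agent install directory."""
    return ntpath.dirname(_norm(image)) == _norm(install_dir)


def find_relocated_cydump(events, install_dir: str = ASSUMED_INSTALL_DIR):
    """Return (pid, image, reason) for each cydump.exe started outside install_dir."""
    hits = []
    for ev in events:
        if ntpath.basename(_norm(ev.image)) != TOOL_NAME:
            continue
        if is_expected_location(ev.image, install_dir):
            continue
        hits.append((ev.pid, ev.image, "cydump.exe running outside the agent install directory"))
    return hits


# Constructed sample events: one legitimate start, two copies elsewhere, one unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent(1001, ASSUMED_INSTALL_DIR + r"\cydump.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent(1002, r"C:\Users\Public\Downloads\CYDUMP.EXE", r"C:\Windows\explorer.exe"),
    ProcessEvent(1003, ASSUMED_INSTALL_DIR + r"\..\..\Temp\cydump.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(1004, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, image, reason in find_relocated_cydump(SAMPLE_EVENTS):
        print(f"pid={pid} {image}: {reason}")
```

A copy found by this check is not confirmed malicious by itself; it is the cue to examine the file and its directory, since a copy that is side-loading a DLL will have that DLL sitting beside it.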